Abstract. We introduce the class of event-recording timed automata (ERA).
An event-recording automaton contains, for every event a, a clock that
records the time of the last occurrence of a. The class ERA is, on one hand,
expressive enough to model (finite) timed transition systems and, on the
other hand, determinizable and closed under all boolean operations. As a
result, the language inclusion problem is decidable for event-recording
automata. We present a translation from timed transition systems to
event-recording automata, which leads to an algorithm for checking if two
timed transition systems have the same set of timed behaviors.

We also consider event-predicting timed automata (EPA), which contain clocks
that predict the time of the next occurrence of an event. The class of
event-clock automata (ECA), which contain both event-recording and
event-predicting clocks, is a suitable specification language for real-time
properties. We provide an algorithm for checking if a timed automaton meets a
specification that is given as an event-clock automaton.
1 Introduction

Finite automata are instrumental for the modeling and analysis of many
phenomena within computer science. In particular, automata theory plays an
important role in the verification of concurrent finite-state systems
[10, 16]. In the trace model for concurrent computation, a system is
identified with its behaviors. Assuming that a behavior is represented as a
sequence of states or events, the possible behaviors of a system can be
viewed as a formal language, and the system can be modeled as an automaton
that generates the language (a complex system is modeled as the product of
automata that represent the component systems). Since the admissible
behaviors of the system also constitute a formal language, the requirements
specification can be given by another automaton (the adequacy of automata as
a specification formalism is justified by the fact that competing formalisms
such as linear temporal logic are no more expressive). The verification
problem of checking that a system meets its specification, then, reduces to
testing language inclusion between two automata. The decision procedure for
language inclusion typically involves the complementation of the
specification automaton, which in turn relies upon determinization [9, 15].

* Supported in part by the Office of Naval Research under contract
N00014-91-J-1219, the National Science Foundation under grant CCR-8701103,
and by DARPA/NSF under grant CCR-9014363.

To capture the behavior of a real-time system, the model of computation
needs to be augmented with a notion of time. For this purpose, timed
automata [3] provide a simple, and yet powerful, way of annotating
state-transition graphs with timing constraints, using finitely many
real-valued variables called clocks. A timed automaton, then, accepts timed
words: strings in which each symbol is paired with a real-valued time-stamp.
While the theory of timed automata allows the automatic verification of
certain real-time requirements of finite-state systems [1, 3, 4, 8], and the
solution of certain delay problems [2, 6], the general verification problem
(i.e., language inclusion) is undecidable for timed automata [3]. This is
because, unlike in the untimed case, the nondeterministic variety of timed
automata is strictly more expressive than the deterministic variety. The
notion of nondeterminism allowed by timed automata, therefore, seems too
permissive, and we hesitate to accept timed automata as the canonical model
for finite-state real-time computation [5].

In this paper, we obtain a determinizable class of timed automata by
restricting the use of clocks. The clocks of an event-clock automaton have a
fixed, predefined association with the symbols of the input alphabet (the
alphabet symbols typically represent events). The event-recording clock of
the input symbol a is a history variable whose value always equals the time
of the last occurrence of a relative to the current time; the
event-predicting clock of a is a prophecy variable whose value always equals
the time of the next occurrence of a relative to the current time (if no such
occurrence exists, then the clock value is undefined). Thus, unlike a timed
automaton, an event-clock automaton does not control the reassignments of its
clocks and, at each input symbol, all clock values of the automaton are
determined solely by the input word. This property allows the determinization
of event-clock automata, which, in turn, leads to a complementation
procedure. Indeed, the class ECA of event-clock automata is closed under all
boolean operations (timed automata are not closed under complement), and the
language inclusion problem is decidable for event-clock automata.

While event-predicting clocks are useful for the specification of timing
requirements, automata that contain only event-recording clocks
(event-recording automata) are a suitable abstract model for real-time
systems. We confirm this claim by proving that event-recording automata are
as powerful as another popular model for real-time computation, timed
transition systems [7]. A timed transition system associates with each
transition a lower bound and an upper bound on the time that the transition
may be enabled without being taken (many related real-time formalisms also
use lower and upper time bounds to express timing constraints [13, 14]). A
run of a timed transition system, then, is again a timed word: a sequence of
time-stamped state changes. We construct, for a given timed transition system
T with a finite set of states, an event-recording automaton that accepts
precisely the runs of T. This result leads to an algorithm for checking the
equivalence of two finite timed transition systems.


2 Event-clock Automata


Timed words and timed languages

We study formal languages of timed words.† A timed word $w$ over an alphabet
$\Sigma$ is a finite sequence $(a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$ of symbols
$a_i \in \Sigma$ that are paired with nonnegative real numbers
$t_i \in \mathbb{R}^+$ such that the sequence $\bar t = t_0 t_1 \ldots t_n$
of time-stamps is nondecreasing (i.e., $t_i \le t_{i+1}$ for all
$0 \le i < n$). Sometimes we denote the timed word $w$ by the pair
$(\bar a, \bar t)$. A timed language over the alphabet $\Sigma$ is a set of
timed words over $\Sigma$. The boolean operations of union, intersection, and
complement of timed languages are defined as usual. Given a timed language
$\mathcal{L}$ over the alphabet $\Sigma$, the projection
$\mathit{Untime}(\mathcal{L})$ is obtained by discarding the time-stamps:
$\mathit{Untime}(\mathcal{L}) \subseteq \Sigma^*$ consists of all strings
$\bar a$ for which there exists a sequence $\bar t$ of time-stamps such that
$(\bar a, \bar t) \in \mathcal{L}$.

Automata with clocks

Timed automata are finite-state machines that are constrained with timing
requirements so that they accept (or generate) timed words (and thus define
timed languages); they were proposed in [3] as an abstract model for
finite-state real-time systems. A timed automaton operates with finite
control (a finite set of locations) and a finite set of real-valued variables
called clocks. Each edge between locations specifies a set of clocks to be
reset (i.e., restarted). The value of a clock always records the amount of
time that has elapsed since the last time the clock was reset: if the clock
$z$ is reset while reading the $i$-th symbol of a timed input word
$(\bar a, \bar t)$, then the value of $z$ while reading the $j$-th symbol,
for $j > i$, is $t_j - t_i$ (assuming that the clock $z$ is not reset at any
position between $i$ and $j$). The edges of the automaton put certain
arithmetic constraints on the clock values; that is, the automaton control
may proceed along an edge only when the values of the clocks satisfy the
corresponding constraints.

Each clock of a timed automaton, therefore, is a real-valued variable that
records the time difference between the current input symbol and another
input symbol, namely, the input symbol on which the clock was last reset.
This association between clocks and input symbols is determined dynamically
by the behavior of the automaton. An event-clock automaton, by contrast,
employs clocks that have a tight, predefined association with certain symbols
of the input word. Suppose that we model a real-time system so that the
alphabet symbols represent events of the system. In most cases, it will
suffice to know, for each event, the time that has elapsed since the last
occurrence of the event. For example, to model a delay of 1 to 2 seconds
between the input and output events of a device, it suffices to use a clock
$z$ that records the time that has elapsed since the last input event, and
require the constraint $1 \le z \le 2$ when the output event occurs. This
observation leads us to the definition of clocks that have a fixed
association with input symbols and cannot be reset arbitrarily.

† For the clarity of exposition, we limit ourselves to finite words. Our
results can be extended to the framework of $\omega$-languages.


Event-recording and event-predicting clocks

Let $\Sigma$ be a finite alphabet. For every symbol $a \in \Sigma$, we write
$x_a$ to denote the event-recording clock of $a$. Given a timed word
$w = (a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$, the value of the clock $x_a$ at the
$j$-th position of $w$ is $t_j - t_i$, where $i$ is the largest position
preceding $j$ such that $a_i$ equals $a$. If no occurrence of $a$ precedes
the $j$-th position of $w$, then the value of the clock $x_a$ is "undefined,"
denoted by $\bot$. We write $\mathbb{R}^+_\bot = \mathbb{R}^+ \cup \{\bot\}$
for the set of nonnegative real numbers together with the special value
$\bot$. Formally, we define for all $0 \le j \le n$,

$$\mathit{val}(w,j)(x_a) = \begin{cases}
t_j - t_i & \text{if there exists } i \text{ such that } 0 \le i < j \text{ and } a_i = a \\
          & \text{and for all } k \text{ with } i < k < j,\ a_k \ne a, \\
\bot      & \text{if } a_k \ne a \text{ for all } k \text{ with } 0 \le k < j.
\end{cases}$$

That is, the event-recording clock $x_a$ behaves exactly like an automaton
clock that is reset every time the automaton encounters the input symbol $a$.
The value of $x_a$, therefore, is determined by the input word, not by the
automaton. Auxiliary variables that record the times of last occurrences of
events have been used extensively in real-time reasoning, for example, in the
context of model-checking for timed Petri nets [17], and in assertional proof
methods [11, 14]. Event-recording clocks provide timing information about
events in the past. The dual notion of event-predicting clocks provides
timing information about future events. For every symbol $a \in \Sigma$, we
write $y_a$ to denote the event-predicting clock of $a$. At each position of
the timed word $w$, the value of the clock $y_a$ indicates the time of the
next occurrence of $a$ relative to the time of the current input symbol; the
special value $\bot$ indicates the absence of a future occurrence of $a$.
Formally, we define for all $0 \le j \le n$,

$$\mathit{val}(w,j)(y_a) = \begin{cases}
t_i - t_j & \text{if there exists } i \text{ such that } j < i \le n \text{ and } a_i = a \\
          & \text{and for all } k \text{ with } j < k < i,\ a_k \ne a, \\
\bot      & \text{if } a_k \ne a \text{ for all } k \text{ with } j < k \le n.
\end{cases}$$

The event-predicting clock $y_a$ can be viewed as an automaton clock that is
reset, every time the automaton encounters the input symbol $a$, to a
nondeterministic negative starting value, and checked for 0 at the subsequent
occurrence of $a$.

We write $C_\Sigma$ for the set $\{x_a, y_a \mid a \in \Sigma\}$ of
event-recording and event-predicting clocks. For each position $j$ of a timed
word $w$, the clock-valuation function $\mathit{val}(w,j)$, then, is a
mapping from $C_\Sigma$ to $\mathbb{R}^+_\bot$. The clock constraints compare
clock values to rational constants or to the special value $\bot$. Let
$\mathbb{Q}^+_\bot$ denote the set of nonnegative rational numbers together
with $\bot$. Formally, a clock constraint over the set $C$ of clocks is a
boolean combination of atomic formulas of the form $z \le c$ and $z \ge c$,
where $z \in C$ and $c \in \mathbb{Q}^+_\bot$. The clock constraints over $C$
are interpreted with respect to clock-valuation functions from $C$ to
$\mathbb{R}^+_\bot$: the atom $\bot = \bot$ evaluates to true, and all other
comparisons that involve $\bot$ (e.g., $\bot \ge 3$) evaluate to false. For a
clock-valuation function $\gamma$ and a clock constraint $\varphi$, we write
$\gamma \models \varphi$ to denote that according to $\gamma$ the constraint
$\varphi$ evaluates to true.


Syntax and semantics of event-clock automata


An event-clock automaton is a (nondeterministic) finite-state machine whose
edges are annotated both with input symbols and with clock constraints over
event-recording and event-predicting clocks. Formally, an event-clock
automaton $A$ consists of a finite input alphabet $\Sigma$, a finite set $L$
of locations, a set $L_0 \subseteq L$ of start locations, a set
$L_f \subseteq L$ of accepting locations, and a finite set $E$ of edges. Each
edge is a quadruple $(\ell, \ell', a, \varphi)$ with a source location
$\ell \in L$, a target location $\ell' \in L$, an input symbol
$a \in \Sigma$, and a clock constraint $\varphi$ over the clocks $C_\Sigma$.

Now let us consider the behavior of an event-clock automaton over the timed
input word $w = (a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$. Starting in one of the
start locations and scanning the first input pair $(a_0,t_0)$, the automaton
scans the input word from left to right, consuming, at each step, an input
symbol together with its time-stamp. In location $\ell$ scanning the $i$-th
input pair $(a_i,t_i)$, the automaton may proceed to location $\ell'$ and the
$(i+1)$-st input pair iff there is an edge $(\ell, \ell', a, \varphi)$ such
that $a$ equals the current input symbol $a_i$ and $\mathit{val}(w,i)$
satisfies the clock constraint $\varphi$. Formally, a computation of the
event-clock automaton $A$ over the timed input word $w$ is a finite sequence

$$\ell_0 \xrightarrow{e_0} \ell_1 \xrightarrow{e_1} \cdots \xrightarrow{e_n} \ell_{n+1}$$

of locations $\ell_i \in L$ and edges
$e_i = (\ell_i, \ell_{i+1}, a_i, \varphi_i) \in E$ such that
$\ell_0 \in L_0$ and for all $0 \le i \le n$,
$\mathit{val}(w,i) \models \varphi_i$; the computation is accepting if
$\ell_{n+1} \in L_f$. The timed language $\mathcal{L}(A)$ defined by the
event-clock automaton $A$, then, consists of all timed words $w$ such that
$A$ has an accepting computation over $w$. We write ECA for the class of
timed languages that are definable by event-clock automata.

The event-clock automaton $A$ is an event-recording automaton if all clock
constraints of $A$ contain only event-recording clocks; $A$ is an
event-predicting automaton if the clock constraints of $A$ contain only
event-predicting clocks. The classes of timed languages that can be defined
by these two restricted types of event-clock automata are denoted ERA and
EPA, respectively.


Examples of event-clock automata

The event-clock automaton $A_1$ of Figure 1 uses two event-recording clocks,
$x_a$ and $x_b$. The location $\ell_0$ is the start location of $A_1$, and
also the sole accepting location. The clock constraint $x_a < 1$ that is
associated with the edge from $\ell_2$ to $\ell_3$ ensures that $c$ occurs
within 1 time unit of the preceding $a$. A similar mechanism of checking the
value of $x_b$ while reading $d$ ensures that the time difference between $b$
and the subsequent $d$ is always greater than 2. Thus, the timed language
$\mathcal{L}(A_1)$ defined by $A_1$ consists of all timed words of the form
$((abcd)^m, \bar t)$ such that $m \ge 0$ and for all $0 \le j < m$,
$t_{4j+2} < t_{4j} + 1$ and $t_{4j+3} > t_{4j+1} + 2$. Note that the timed
language $\mathcal{L}(A_1)$ can also be defined using event-predicting
clocks: require $y_c < 1$ while reading $a$, and $y_d > 2$ while reading $b$.

Fig. 1. Event-recording automaton $A_1$

The duality of the two types of clocks is further illustrated by the automata
of Figure 2. The event-recording automaton $A_2$ accepts all timed words of
the form $(ab^*b, \bar t)$ such that the time difference between the two
extreme symbols is 1, which is enforced by the event-recording clock $x_a$.
It is easy to check that there is no event-predicting automaton that defines
the timed language $\mathcal{L}(A_2)$. The event-predicting automaton $A_3$,
on the other hand, accepts all timed words of the form $(aa^*b, \bar t)$ such
that the time difference between the two extreme symbols is 1; for this
purpose, the event-predicting clock $y_b$ is used to predict the time of the
first $b$. There is no event-recording automaton that defines
$\mathcal{L}(A_3)$.

Fig. 2. Event-recording automaton $A_2$ and event-predicting automaton $A_3$


3 Deterministic Event-clock Automata

A finite-state machine (with a single start location) is deterministic iff
all input symbols that label edges with the same source location are pairwise
distinct. We consider for event-clock automata the notion of determinism that
was proposed for timed automata in [3]. The event-clock automaton
$A = (\Sigma, L, L_0, L_f, E)$ is deterministic if $A$ has a single start
location (i.e., $|L_0| = 1$) and any two edges with the same source location
and the same input symbol have mutually exclusive clock constraints; that is,
if $(\ell, \ell', a, \varphi_1) \in E$ and
$(\ell, \ell'', a, \varphi_2) \in E$ then for all clock-valuation functions
$\gamma$, if $\gamma \models \varphi_1$ then $\gamma \not\models \varphi_2$.
The determinism condition ensures that at each step during a computation, the
choice of the next edge is uniquely determined by the current location of the
automaton, the input word, and the current position of the automaton along
the input word. It is easy to check that every deterministic event-clock
automaton has at most one computation over any given timed input word.

Of our examples from the previous section, the event-clock automata $A_1$ and
$A_3$ are deterministic. While the automaton $A_2$ is nondeterministic, it
can be determinized without changing its language, by adding the clock
constraint $x_a < 1$ to the self-loop at location $\ell_1$.

In the theory of finite-state machines, it is well-known that every
nondeterministic automaton can be determinized; that is, the deterministic
and nondeterministic varieties of finite-state machines define the same class
of languages (the regular languages). In the case of timed automata, however,
the nondeterministic variety is strictly more expressive than its
deterministic counterpart [3]. We now show that the event-clock automata form
a determinizable subclass of the timed automata.

Theorem 1 (Determinization). For every event-clock (event-recording;
event-predicting) automaton $A$, there is a deterministic event-clock
(event-recording; event-predicting) automaton that defines $\mathcal{L}(A)$.

Proof. Let $A$ be the given event-clock automaton with the location set $L$.
The locations of the determinized automaton $\mathit{Det}(A)$ are the
nonempty subsets of $L$. Consider a location $L' \subseteq L$ of
$\mathit{Det}(A)$, and an input symbol $a \in \Sigma$. Let $E' \subseteq E$
be the set of all $a$-labeled edges of $A$ whose source locations are in
$L'$. Then, for every nonempty subset $E'' \subseteq E'$, there is an edge
from $L'$ to $L''$ labeled with the input symbol $a$ and the clock constraint
$\varphi$ iff $L''$ contains precisely the target locations of the edges in
$E''$, and $\varphi$ is the conjunction of all clock constraints of
$E''$-edges and all negated clock constraints of $(E' - E'')$-edges. It is
easy to check that the clock constraints on different $a$-labeled edges
starting from $L'$ are mutually exclusive. ■

Notice that the determinization of an event-clock automaton causes an
exponential blow-up in the number of locations, but changes neither the
number of clocks nor the constants that occur in clock constraints.
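The following Python sketch is an added example, not code from the paper: it computes the clock valuation val(w, j) and the constraint semantics of Section 2, then carries out the subset construction from the proof of Theorem 1 on the automaton A_2. The tuple encoding of constraints, the function names, the reading of both comparisons of ⊥ with ⊥ as true, the start and accepting locations of the determinized automaton, and the edges of A_2 and A_3 (rebuilt from the text's description, since the figures are not reproduced here) are assumptions.

```python
from itertools import combinations

BOT = None  # the undefined clock value, written ⊥ in the text

def val(word, j):
    """Clock valuation val(w, j); ('x', a) is x_a and ('y', a) is y_a."""
    tj, v = word[j][1], {}
    for a in {s for s, _ in word}:
        before = [t for s, t in word[:j] if s == a]     # earlier occurrences of a
        after = [t for s, t in word[j + 1:] if s == a]  # later occurrences of a
        v['x', a] = tj - before[-1] if before else BOT
        v['y', a] = after[0] - tj if after else BOT
    return v  # clocks of symbols absent from the word are missing, i.e. BOT

def holds(phi, v):
    """Evaluate a clock constraint under the valuation v.

    Assumed encoding: ('true',), ('le', z, c), ('ge', z, c),
    ('not', phi), ('and', phi_1, ..., phi_k).
    """
    op = phi[0]
    if op == 'true':
        return True
    if op == 'not':
        return not holds(phi[1], v)
    if op == 'and':
        return all(holds(p, v) for p in phi[1:])
    z, c = v.get(phi[1], BOT), phi[2]
    if z is BOT or c is BOT:
        # Comparing BOT with BOT is true; every other comparison with BOT is false.
        return z is BOT and c is BOT
    return z <= c if op == 'le' else z >= c

def computations(A, word):
    """Map each location to the number of computations over `word` ending there."""
    cur = {loc: 1 for loc in A['start']}
    for j, (a, _) in enumerate(word):
        v, nxt = val(word, j), {}
        for src, dst, sym, phi in A['edges']:
            if src in cur and sym == a and holds(phi, v):
                nxt[dst] = nxt.get(dst, 0) + cur[src]
        cur = nxt
    return cur

def accepts(A, word):
    return any(loc in A['accept'] for loc in computations(A, word))

def determinize(A):
    """Subset construction of Theorem 1, restricted to reachable subsets.

    Assumption: the start location is the set of A's start locations and a
    subset is accepting iff it contains an accepting location of A.
    """
    start = frozenset(A['start'])
    locs, todo, edges = {start}, [start], []
    while todo:
        L1 = todo.pop()
        for a in sorted({e[2] for e in A['edges']}):
            E1 = [e for e in A['edges'] if e[0] in L1 and e[2] == a]
            for k in range(1, len(E1) + 1):
                for E2 in combinations(E1, k):  # every nonempty E'' within E'
                    L2 = frozenset(e[1] for e in E2)
                    phi = ('and', *(e[3] for e in E2),
                           *(('not', e[3]) for e in E1 if e not in E2))
                    edges.append((L1, L2, a, phi))
                    if L2 not in locs:
                        locs.add(L2)
                        todo.append(L2)
    accept = {loc for loc in locs if loc & A['accept']}
    return {'start': {start}, 'accept': accept, 'edges': edges}

XA, YB = ('x', 'a'), ('y', 'b')
# A_2 as described in the text: a, then b's, last b exactly 1 after the a.
A2 = {'start': {0}, 'accept': {2}, 'edges': [
    (0, 1, 'a', ('true',)),
    (1, 1, 'b', ('true',)),
    (1, 2, 'b', ('and', ('le', XA, 1), ('ge', XA, 1)))]}
# A_3 as described in the text: the first a predicts the b exactly 1 later.
A3 = {'start': {0}, 'accept': {2}, 'edges': [
    (0, 1, 'a', ('and', ('le', YB, 1), ('ge', YB, 1))),
    (1, 1, 'a', ('true',)),
    (1, 2, 'b', ('true',))]}

# Constructed sample timed words over {a, b}.
W_OK = [('a', 0.0), ('b', 0.5), ('b', 1.0)]
W_LATE = [('a', 0.0), ('b', 0.5), ('b', 1.5)]
W_TWICE = [('a', 0.0), ('b', 1.0), ('b', 1.0)]

if __name__ == '__main__':
    D2 = determinize(A2)
    for w in (W_OK, W_LATE, W_TWICE):
        print(accepts(A2, w), accepts(D2, w),
              sum(computations(A2, w).values()),
              sum(computations(D2, w).values()))
```

On the sample words, A_2 has two computations over each accepted word while the determinized automaton has exactly one, and both accept the same words.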

The key for the determinization of event-clock automata is the property that
at each step during a computation, all clock values are determined solely by
the input word. We therefore obtain determinizable superclasses of
event-clock automata if we add more clocks that do not violate this property.
For example, for each input symbol $a$ and each natural number $i$, we could
employ a clock $x_a^i$ that records the time since the $i$-th occurrence of
$a$, and a clock $x_a^{-i}$ that records the time since the $i$-th-to-last
occurrence of $a$ (i.e., $x_a = x_a^{-1}$). Or, more ambitiously, we may want
to use for each linear temporal formula $\varphi$ a formula-recording clock
$x_\varphi$ that measures the time since the last position of the input word
at which $\varphi$ was true, and a formula-predicting clock that measures the
time until the next position at which $\varphi$ will be true.


4 Properties of Event-Clock Automata

Event-clock automata as labeled transition systems

We now consider an alternative semantics for event-clock automata, using
labeled transition systems. Let $A = (\Sigma, L, L_0, L_f, E)$ be an
event-clock automaton. A state of $A$ is a pair $(\ell, \gamma)$ that
consists of a location $\ell \in L$ and a clock-valuation function $\gamma$
from $C_\Sigma$ to $\mathbb{R}^+_\bot$, which determines the values of all
clocks. The state $(\ell, \gamma)$ is initial if $\ell \in L_0$ and
$\gamma(x_a) = \bot$ for all input symbols $a \in \Sigma$; $(\ell, \gamma)$
is final if $\ell \in L_f$ and $\gamma(y_a) = \bot$ for all $a \in \Sigma$.
We write $S_A$ for the (infinite) set of states of the event-clock automaton
$A$ and define a labeled transition relation over $S_A$ to capture the
behavior of $A$ over timed words.

For two states $s, s' \in S_A$, an input symbol $a \in \Sigma$, and a
real-valued time delay $\delta \in \mathbb{R}^+$, let
$s \xrightarrow{a} s'$ if the automaton $A$ may proceed from the state $s$ to
the state $s'$ by reading the input symbol $a$, and let
$s \xrightarrow{\delta} s'$ if $A$ may proceed from $s$ to $s'$ by letting
time $\delta$ pass. Formally,
$(\ell, \gamma) \xrightarrow{a} (\ell', \gamma')$ if there is a
clock-valuation function $\gamma''$ and an edge
$(\ell, \ell', a, \varphi) \in E$ such that $\gamma = \gamma''[y_a := 0]$
(i.e., $\gamma$ agrees with $\gamma''$ on all clocks except $y_a$, which in
$\gamma$ evaluates to 0), $\gamma' = \gamma''[x_a := 0]$, and
$\gamma'' \models \varphi$; and
$(\ell, \gamma) \xrightarrow{\delta} (\ell', \gamma')$ if $\ell = \ell'$ and
for all input symbols $b \in \Sigma$,

1. if $\gamma(x_b) = \bot$ then $\gamma'(x_b) = \bot$, else
   $\gamma'(x_b) = \gamma(x_b) + \delta$;

2. if $\gamma'(y_b) = \bot$ then $\gamma(y_b) = \bot$, else
   $\gamma(y_b) = \gamma'(y_b) + \delta$.

We inductively extend the labeled transition relation to timed words:
$s \xrightarrow{(a,\delta)} s'$ if there is a state $s'' \in S_A$ such that
$s \xrightarrow{\delta} s''$ and $s'' \xrightarrow{a} s'$; if
$w = (a_0,t_0)\ldots(a_n,t_n)$ and $w' = w(a_{n+1},t_{n+1})$, then
$s \xrightarrow{w'} s'$ if there is a state $s''$ such that
$s \xrightarrow{w} s''$ and
$s'' \xrightarrow{(a_{n+1},\, t_{n+1} - t_n)} s'$. The following lemma shows
the correctness of the labeled-transition-system semantics for event-clock
automata.

Lemma 2. The event-clock automaton $A$ accepts the timed word $w$ iff
$s \xrightarrow{w} s'$ for some initial state $s$ and some final state $s'$
of $A$.

The region construction

The analysis of timed automata builds on the so-called region construction,
which transforms a timed automaton into an untimed finite-state machine
[1, 3]. Here we apply the region construction to event-clock automata. We
consider again the given event-clock automaton $A$ and begin with defining
the region-equivalence relation $\cong_A$ as a finite partition of the
infinite state space $S_A$.

We assume that all clock constraints of $A$ contain only integer constants
(otherwise, all constants need to be multiplied by the least common multiple
of the denominators of all rational numbers that appear in the clock
constraints of $A$). Let $c$ be the largest integer constant that appears in
a clock constraint of $A$. Informally, two clock-valuation functions $\gamma$
and $\gamma'$ from $C_\Sigma$ to $\mathbb{R}^+_\bot$ are region-equivalent,
written $\gamma \cong_A \gamma'$, if $\gamma$ and $\gamma'$ agree on which
clocks have the undefined value $\bot$, agree on the integral parts of all
defined clock values that are at most $c$, and agree on the ordering of the
fractional parts of all defined clock values (the fractional part of the
event-recording clock $x_a$ according to $\gamma$ is
$\gamma(x_a) - \lfloor \gamma(x_a) \rfloor$; the fractional part of the
event-predicting clock $y_a$ is $\lceil \gamma(y_a) \rceil - \gamma(y_a)$).
Two states $(\ell, \gamma), (\ell', \gamma') \in S_A$ are region-equivalent
if $\ell = \ell'$ and $\gamma \cong_A \gamma'$. A formal definition of the
region-equivalence relation $\cong_A$ is given in [3].

A region of the event-clock automaton $A$ is a $\cong_A$-equivalence class of
states in $S_A$. The number of $A$-regions is finite: linear in the number of
locations, exponential in the number of clocks (that is, exponential in the
size of the input alphabet), and exponential in the size of the clock
constraints of $A$. The region equivalence is instrumental for analyzing
event-clock automata, because $\cong_A$ is a bisimulation.

Lemma 3. For all states $s_1, s_1', s_2 \in S_A$ of an event-clock automaton
$A$, all input symbols $a$ of $A$, and all real-valued time delays
$\delta \in \mathbb{R}^+$, if $s_1 \cong_A s_1'$ and
$s_1 \xrightarrow{(a,\delta)} s_2$, then there is a state $s_2' \in S_A$ and
a time delay $\delta' \in \mathbb{R}^+$ such that $s_2 \cong_A s_2'$ and
$s_1' \xrightarrow{(a,\delta')} s_2'$.

Now we are ready to define the region automaton $\mathit{Reg}(A)$ of $A$, an
untimed finite-state machine over the input alphabet $\Sigma$. The locations
of $\mathit{Reg}(A)$ are the regions of $A$. A region is starting if it
contains an initial state of $A$, and accepting if it contains a final state
of $A$. There is an edge from the region $\rho$ to the region $\rho'$ labeled
with the input symbol $a$ if there are two states $s \in \rho$ and
$s' \in \rho'$, and a time delay $\delta \in \mathbb{R}^+$, such that
$s \xrightarrow{(a,\delta)} s'$. From Lemmas 2 and 3 it follows that the
region automaton $\mathit{Reg}(A)$ defines the untimed language
$\mathit{Untime}(\mathcal{L}(A))$.

Theorem 4 (Untiming). For every event-clock automaton $A$, the untimed
language $\mathit{Untime}(\mathcal{L}(A))$ is regular.

Closure properties and decision problems

While the class of timed automata is not closed under complement, and the
language inclusion (verification) problem for timed automata is undecidable,
the subclass of event-clock automata is well-behaved.

Theorem 5 (Closure properties). Each of the classes ECA, ERA, and EPA of
timed languages is closed under union, intersection, and complement.

Proof. Closure under union is trivial, because event-clock automata admit
multiple start locations. Closure under intersection is also straightforward,
because the standard automata-theoretic product construction
$A_1 \times A_2$ for two given event-clock (event-recording;
event-predicting) automata $A_1$ and $A_2$ yields an event-clock
(event-recording; event-predicting) automaton. Closure under complement
relies on the determinization construction: given an event-clock
(event-recording; event-predicting) automaton $A$, the event-clock
(event-recording; event-predicting) automaton $\neg\mathit{Det}(A)$ that
results from complementing the acceptance condition of $\mathit{Det}(A)$
(interchange the accepting and the nonaccepting states of $\mathit{Det}(A)$)
defines the complement of the timed language $\mathcal{L}(A)$. ■

Unlike (nondeterministic) timed automata, however, event-clock automata are
not closed under hiding and renaming of input symbols. This is because the
timed language $\mathcal{L}$ that contains all timed words
$w = (\bar a, \bar t)$ over a unary alphabet in which no two symbols occur
with time difference 1 (i.e., $t_j - t_i \ne 1$ for all positions $i$ and $j$
of $w$) cannot be defined by a timed automaton [3]. With complementation and
renaming (or hiding), on the other hand, $\mathcal{L}$ is easily definable
from a language in ERA $\cap$ EPA.

The determinization, closure properties, and region construction can be used
to solve decision problems for event-clock automata. To check if the timed
language of an event-clock automaton $A$ is empty, we construct the region
automaton $\mathit{Reg}(A)$ and check if the untimed language of
$\mathit{Reg}(A)$ is empty. To check if the language of the event-clock
automaton $A_1$ is included in the language of the event-clock automaton
$A_2$, we determinize $A_2$, complement $\mathit{Det}(A_2)$, take the product
with $A_1$, and check if the language of the resulting event-clock automaton
$A_1 \times \neg\mathit{Det}(A_2)$ is empty by constructing the corresponding
region automaton.

Theorem 6 (Language inclusion). The problem of checking if
$\mathcal{L}(A_1) \subseteq \mathcal{L}(A_2)$ for two event-clock automata
$A_1$ and $A_2$ is decidable in PSPACE.

On the other hand, the problem of checking if the language of a given
event-recording (or event-predicting) automaton is empty can be shown to be
PSPACE-hard (similar to the hardness proof for emptiness of timed
automata [3]).

Relationship  between  classes  of  timed  automata 

We briefly review the definition of a timed automaton [3]. A (nondeterministic) timed automaton $A$ consists of a finite input alphabet $\Sigma$, a finite set $L$ of locations, a set $L_0 \subseteq L$ of start locations, a set $L_f \subseteq L$ of accepting locations, a finite set $C$ of clocks, and a finite set $E$ of edges. Each edge $e$ is labeled with an input symbol, a clock constraint over $C$, and a reset condition $C_e \subseteq C$ that specifies the clocks that are reset to 0 when the edge $e$ is traversed. Every timed automaton $A$, then, defines a timed language $\mathcal{L}(A)$, and we write NTA for the class of timed languages that are definable by timed automata. The class NTA is closed under union and intersection, but not under complement.

The definition of determinism for timed automata is the same as for event-clock automata. We write DTA for the class of timed languages that are definable by deterministic timed automata. Since DTA is closed under all boolean operations, DTA is strictly contained in NTA.

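Theorem 7 (Relationship between classes).

(1) $\mathrm{ERA} \not\subseteq \mathrm{EPA}$  (2) $\mathrm{EPA} \not\subseteq \mathrm{ERA}$  (3) $\mathrm{ERA} \cup \mathrm{EPA} \subset \mathrm{ECA}$

(4) $\mathrm{ECA} \subset \mathrm{NTA}$  (5) $\mathrm{ERA} \subset \mathrm{DTA}$  (6) $\mathrm{EPA} \not\subseteq \mathrm{DTA}$

(7) $\mathrm{DTA} \not\subseteq \mathrm{ECA}$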

Proof. For (1), the language of the event-recording automaton $A_2$ of Figure 2 is not definable by an event-predicting automaton. For (2), the language of the event-predicting automaton $A_1$ of Figure 2 cannot be defined by an event-recording automaton. Similarly, for (3) it is possible to combine $A_1$ and $A_2$ into an event-clock automaton whose language is neither in ERA nor in EPA.

Every event-clock automaton can be translated into a timed automaton. While the translation preserves determinism for event-recording automata, event-predicting clocks introduce nondeterminism. The inclusions (4) and (5) follow. Inclusion (4) is strict, because ECA is closed under complement, while NTA is not. Inclusion (5) is strict because of (7). For (6), the timed language $\{(a^n b,\ t_0 t_1 \ldots t_n) \mid \exists\, 0 \le i < n.\ t_n - t_i = 1\}$ is in EPA but not in DTA. For (7), the timed language $\{(aaa,\ t_0 t_1 t_2) \mid t_2 - t_0 = 1\}$ is in DTA but not in ECA. ■

In [5], we defined another subclass of NTA that is closed under all boolean operations, namely, the class 2DTA of timed languages that are definable by deterministic two-way automata that can read the input word a bounded number of times. While ECA is easily seen to be contained in 2DTA, and while there are obvious similarities between event-predicting clocks and the two-way reading of the timed input word, the exact relationship between event-clock automata and deterministic two-way automata remains to be studied. However, because they admit nondeterminism, event-clock automata are perhaps more suited for specification than deterministic two-way automata.


5  Timed  Transition  Systems  as  Event-clock  Automata 

Timed  transition  systems 

A transition system $\mathcal{T}$ consists of a set $S$ of states, a set $S_0 \subseteq S$ of initial states, and a finite set $T$ of transitions. Each transition $\tau \in T$ is a binary relation over $S$. For each state $s \in S$, the set $\tau(s)$ gives the possible $\tau$-successors of $s$; that is, $\tau(s) = \{s' \mid (s, s') \in \tau\}$. The transition system $\mathcal{T}$ is finite if the set $S$ of states is finite. A run $\bar{s}$ of the transition system $\mathcal{T}$ is a finite sequence $s_0 \to s_1 \to \cdots \to s_n$ of states such that $s_0 \in S_0$ and for all $0 \le i < n$, there exists a transition $\tau_i \in T$ such that $s_{i+1} \in \tau_i(s_i)$. The transition $\tau$ is enabled at the $i$-th step of the run $\bar{s}$ if $\tau(s_i)$ is nonempty, and $\tau$ is taken at the $i$-th step if $s_i \in \tau(s_{i-1})$ (i.e., multiple transitions may be taken at the same step). A variety of programming systems, such as message-passing systems and shared-memory systems, can be given a transition-system semantics [12].

The model of transition systems is extended to timed transition systems so that it is possible to express real-time constraints on the transitions [7]. A timed transition system $\mathcal{T}$ consists of a transition system $(S, S_0, T)$ and two functions $l$ and $u$ from $T$ to $\mathbb{R}^{+}$ that associate with each transition $\tau \in T$ a lower bound $l(\tau)$ and an upper bound $u(\tau)$. Informally, the transition $\tau$ must be enabled continuously for at least $l(\tau)$ time units before it can be taken, and $\tau$ must not be enabled continuously for more than $u(\tau)$ time units without being taken. Formally, we associate a real-valued time-stamp with each state change along a run. A timed run $\bar{r}$ of the timed transition system $\mathcal{T}$ is a finite sequence


of states $s_i \in S$ and nondecreasing time-stamps $t_i \in \mathbb{R}^{+}$ such that $\bar{s}$ is a run of the underlying transition system and

1. Upper Bound: if $\tau$ is enabled at all steps $k$ for $i \le k < j$, and not taken at all steps $k$ for $i < k < j$, then $t_j - t_i \le u(\tau)$;

2. Lower Bound: if $\tau$ is taken at the $j$-th step then there is some step $i < j$ such that $t_j - t_i \ge l(\tau)$ and $\tau$ is enabled at all steps $k$ for $i \le k < j$, and not taken at all steps $k$ for $i < k < j$.

In other words, $t_0$ is the initial time, and the transition system proceeds from the state $s_i$ to the state $s_{i+1}$ at time $t_{i+1}$. The semantics of the timed transition system $\mathcal{T}$ is the set of timed runs of $\mathcal{T}$. Two timed transition systems are equivalent if they have the same timed runs.


From timed transition systems to event-recording automata

We now show that the set of timed runs of a finite timed transition system can be defined by an event-recording automaton. For this purpose, we need to switch from the state-based semantics of transition systems to an event-based semantics. With the given timed run $\bar{r}$, we associate the timed word

$\bar{w}(\bar{r}) = ((\bot, s_0), t_0)\,((s_0, s_1), t_1)\,((s_1, s_2), t_2) \ldots ((s_{n-1}, s_n), t_n)$,

where $\bot$ is a special symbol not in $S$ (as usual, $S_\bot = S \cup \{\bot\}$). Notice that the timed run $\bar{r}$ and the corresponding timed word $\bar{w}(\bar{r})$ contain the same information: each event (i.e., state change) of $\bar{r}$ is modeled by a pair of states, a source state and a target state. Every finite timed transition system $\mathcal{T} = (S, T, S_0, l, u)$, then, defines a timed language $\mathcal{L}(\mathcal{T})$ over the alphabet $S_\bot \times S$, namely, the set of timed words $\bar{w}(\bar{r})$ that correspond to timed runs $\bar{r}$ of $\mathcal{T}$. It is easy to check that two timed transition systems are equivalent iff they define the same timed language.

Theorem 8 (Timed transition systems). For every finite timed transition system $\mathcal{T}$, there is an event-recording timed automaton $A_{\mathcal{T}}$ that defines the timed language $\mathcal{L}(\mathcal{T})$.

Proof. Consider the given finite timed transition system $\mathcal{T}$. Each location of the corresponding event-clock automaton $A_{\mathcal{T}}$ records a state $s \in S$ and, for each transition $\tau \in T$, a pair of states $(\alpha(\tau), \beta(\tau)) \in S_\bot \times S$ such that if $\tau$ is enabled in $s$, then $\tau$ has been enabled continuously without being taken since the last state change from $\alpha(\tau)$ to $\beta(\tau)$. In addition, we use a special location $\ell_0$ as the sole start location of $A_{\mathcal{T}}$. Every location is an accepting location.

For every initial state $s_0 \in S_0$, there is an edge from $\ell_0$ to $(s_0, (\alpha, \beta))$ labeled with the input symbol $(\bot, s_0)$ and the trivial clock constraint true, where $\alpha(\tau) = \bot$ and $\beta(\tau) = s_0$ for all transitions $\tau \in T$. In addition, there is an edge from $(s, (\alpha, \beta))$ to $(s', (\alpha', \beta'))$ labeled with the input symbol $(s, s')$ and the clock constraint $\varphi$ iff there is a transition $\tau \in T$ such that $(s, s') \in \tau$, and for all transitions $\tau \in T$,

1. if $\tau$ is enabled in $s$ and $s' \notin \tau(s)$, then $(\alpha'(\tau), \beta'(\tau)) = (\alpha(\tau), \beta(\tau))$, else $(\alpha'(\tau), \beta'(\tau)) = (s, s')$;

2. if $\tau$ is enabled in $s$, then $\varphi$ contains the conjunct $x_{(\alpha(\tau), \beta(\tau))} \le u(\tau)$;

3. if $s' \in \tau(s)$, then $\varphi$ contains the conjunct $x_{(\alpha(\tau), \beta(\tau))} \ge l(\tau)$.

Notice that the size of the event-recording automaton $A_{\mathcal{T}}$ is exponential in the size of the timed transition system $\mathcal{T}$. ■
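The construction in the proof of Theorem 8, run on the fly over the timed word of a run; this is an added example, not code from the paper. The three-state system, the Python names and the use of `None` for ⊥ are assumptions, and the bound conjuncts are read as non-strict (x ≤ u, x ≥ l), with rule 1 keeping the pair only while the transition is enabled and not taken.

```python
BOT = None  # stands for the symbol ⊥ (assumed encoding)

# Constructed system: "tick" toggles a <-> b, "alarm" leaves a or b for c.
# Each transition maps to (relation, lower bound l, upper bound u).
S0 = {"a"}
T = {
    "tick":  ({("a", "b"), ("b", "a")}, 0, 10),
    "alarm": ({("a", "c"), ("b", "c")}, 3, 4),
}

def enabled(rel, s):
    """tau is enabled in s iff tau(s) is nonempty."""
    return any(src == s for src, _ in rel)

def timed_word(run):
    """Map a timed run [(s0, t0), ..., (sn, tn)] to its (event, time) word."""
    sources = [BOT] + [s for s, _ in run[:-1]]
    return [((p, s), t) for p, (s, t) in zip(sources, run)]

def accepts(word, S0=S0, T=T):
    """Run A_T on a timed word, building the visited locations on the fly."""
    last = {}     # event-recording clocks, stored as time of last occurrence
    pair = {}     # location component: transition name -> (alpha, beta)
    state = now = None
    for (src, dst), t in word:
        if now is not None and t < now:
            return False                      # time-stamps are nondecreasing
        if not pair:                          # still in the start location
            if src is not BOT or dst not in S0:
                return False
            pair = {name: (BOT, dst) for name in T}
        else:
            if src != state or not any((src, dst) in r for r, _, _ in T.values()):
                return False                  # no edge carries this symbol
            for name, (rel, lo, hi) in T.items():
                x = t - last[pair[name]]      # value of clock x_(alpha, beta)
                if enabled(rel, src) and x > hi:
                    return False              # conjunct x <= u(tau) fails
                if (src, dst) in rel and x < lo:
                    return False              # conjunct x >= l(tau) fails
                if not enabled(rel, src) or (src, dst) in rel:
                    pair[name] = (src, dst)   # rule 1, "else" branch
        last[(src, dst)] = t
        state, now = dst, t
    return True
```

In the constructed system, "alarm" stays enabled and untaken while "tick" toggles between a and b, so its pair stays (⊥, a) and both of its bounds are measured from the initial time rather than from the most recent state change.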

To check if two timed transition systems $\mathcal{T}_1$ and $\mathcal{T}_2$ are equivalent, we construct the corresponding event-recording automata $A_{\mathcal{T}_1}$ and $A_{\mathcal{T}_2}$ and check if they define the same timed language.

Corollary 9. The problem of checking if two finite timed transition systems are equivalent is decidable in EXPSPACE.